Thick Client Pentest: Modern Approaches and Techniques: PART 1
Hello Techie 👨💻
You are welcome here!! 😊
This blog aims to provide a security test case and a set of tools that we require while performing Thick Client Pentest.
So, I plan to divide this broad topic into sections/blogs so that you linger on a specific topic. 🦸♂️
PART 1
A thick client is an application that runs on the user’s host machine/system and communicates with the backend server or database server.
A few of the examples are listed below:
- Chrome
2. Zoom
3. Anydesk
4. Skype
With respect to Architecture, they are classified as two-tier and three-tier applications.
- Two Tier: The two-tier is based on Client-Server architecture. The two-tier architecture is like a client-server application. Direct communication takes place between client and server. There is no intermediate between client and server.
2. Three Tier:
Three-tier architecture is a well-established software application architecture that organizes applications into three logical and physical computing tiers: the presentation tier, or user interface; the application tier, where data is processed; and the data tier, where the data associated with the application is stored and managed.
Thin Client vs Thick Client Differences 👇🏻
Thin Client:
- A thin client connects to a server-based environment that hosts the majority of applications, memory, and sensitive data the user needs.
- Thin clients are often seen in banks and post offices.
Thick Client:
- A thick client is a software that does not need a connection to a server system to operate.
- Microsoft Outlook, Yahoo Messenger, and Skype are some thick client application examples.
How to test thick client applications? 👨💻
Thick Client Pentest is complicated as compared to Web/API Pentest in my opinion. In Thick Client, there are two types (i) Proxy-based Thick clients. (ii) Non-Proxy based thick client (Common).
👨💻The first step to take when facing a thick client application is to gather information, such as:
1. Discovering what technologies are being used on both the client and the server sides.
2. Figuring out the application’s functionality and behavior.
3. Identifying all the different entry points for user input.
4. Understanding the core security mechanisms used by the application.
5. Identifying common vulnerabilities like languages and frameworks.
I. https://cve.mitre.org/cve/search_cve_list.html
II. https://www.exploit-db.com/
List of some known vulnerabilities we might found in Thick Client application.
1. Sensitive data leakage
2. DLL Hijacking
3. Improper Error Handling
4. Injection
5. Reverse Engineering
6. Session Management
7. Insecure Storage
8. SSL/TLS
9. Business Logic
10. Weak encryption checks
Let’s have a look at the set of tools we requires in thick client pentest. Not this (🧑🏻🔧) 😐
List of some known tools we will be using during Thick Client Pentest.
1. Echo mirage
2. Procmon
3. Strings.exe
4. Sysinternals Suite
5. Nmap
6. Testssl
7. Process Hacker
8. Dnspy/ Dot Peek/ VB decompiler
9. Metasploit (To create Mal. DLL file)
10. Fiddler/Burpsuite
11. Wireshark
12. Ollydbg
13. .Net Reflector
14. Winhex
Labs: DVTA — Vulnerable Thick Client Application
https://github.com/secvulture/dvta — Our testing Vulnerable application/Environment for few test cases.
Thick client applications can be developed using various programming languages such as:
1. dot .Net
2. Java
3. C/C++
4. Microsoft Silverlight
We are good to start with the list of vulnerabilities, Test Cases and testing approach. So, Let’s स्टार्ट 🥳👨💻
1. Capturing the request via Echo Mirage.
Echo Mirage enables intercepting non-HTTP traffic between the tested thick client and the local or remote server.
Intercepting requests using this tool, give insight into what kind of data was transmitted between the Client and the remote server.
Echo Mirage can hook into the tested thick client application process so that communication between the tested thick client application and the local or remote server can be intercepted and edited.
When you open the Echo Mirage tool, you will see two main tabs:
Traffic Log — Watch a full record of all messages that have passed through the Proxy.
Rules — Watch the currently configured rules and also add/change/delete interception rules.
Steps:
1: We will configure the rules in order to capture the requests.
Click on rules tab -> select New -> check for below configuration in tab.
- Make sure the intercept option is ticked.
- Port and Address must be *
Once the above are set properly, click on save, and good to go with the further process.
Step 2: Next, Inject the process ID of the testing application by using the left top option to inject the process ID/Execute the application by selecting a file.
Step 3: Once, we are properly hooking the process ID of the testing application. we will be able to capture the requests in Echo Mirage as shown in Figure 2.
Mitigation: It is recommended to build an application on 3 Tier Architecture. Also, Make sure sensitive details do not transmit in GET method request.
2. Hardcoded Sensitive Data:
Tool- dnspy
Description:
dnSpy is a portable debugger and .NET assembly editor for use when editing and debugging assemblies even if the source code isn’t available. dnSpy is intended to assist in decompiling various assemblies allowing you to understand their functionality better.
Steps: Open the testing application in dnspy tool and search for the specific string as shown in figure 5.
Mitigation: It is recommended to remove hardcoded sensitive data.
3. Signature check of thick client application:
Dump file version information and verify that images on your system are digitally signed.
Tool: sigcheck64.exe
cmd: sigcheck64.exe appltnName.exe
POC’s:
1st Scenario: The application is digitally signed.
2nd Scenario: We will test on a vulnerable application.
We will see above POC where the vulnerable application is unsigned.
Mitigation: It is recommended to digitally signed the unsigned thick client application.
4. Sensitive data leakage via Winhex
Description: WinHex is a commercial disk editor and universal hexadecimal editor (hex editor) used for data recovery and digital forensics. Memory analysis tool
Tool: Winhex
Mitigation: Avoid sensitive data leakage.
5. Improper Error Handling:
Description:
Error handling refers to the response and recovery procedures from error conditions present in a software application. In other words, it is the process comprised of anticipation, detection, and resolution of application errors, programming errors, or communication errors.
Mitigation:
A specific policy for how to handle errors should be documented, including the types of errors to be handled and for each, what information is going to be reported back to the user, and what information is going to be logged. All developers need to understand the policy and ensure that their code follows it.
6. Lack of code obfuscation:
When developers do not obfuscate the code when compiling the binary, an attacker can decompile the code using some tools such as JD GUI & Dnspy.
Tool: dnspy
Mitigation:
It is recommended to use a set of software for code obfuscation. Like: ProGuard, JObfuscator, Javaguard, and many others.
7. Config files and other sensitive files might contain sensitive details.
Description: This is another test case where we will see sensitive data in supporting files for sensitive data.
Mitigation: It is recommended for developers to avoid leakage of sensitive details from supporting files.
8. SQL Injection:
I am assuming that we are familiar with this vulnerability, so covering the descriptive part only.
Description:
A SQL injection attack consists of the insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.
Threat Modeling:
SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
SQL Injection is very common with PHP and ASP applications due to the prevalence of older functional interfaces. Due to the nature of programmatic interfaces available, J2EE and ASP.NET applications are less likely to have easily exploited SQL injections.
The severity of SQL Injection attacks is limited by the attacker’s skill and imagination, and to a lesser extent, defense in depth countermeasures, such as low privilege connections to the database server and so on. In general, consider SQL Injection a high impact severity.
Mitigation: Recommend implementing Parameterized query with a prepared statement.
9. Sensitive data leakage via strings.exe
Tool: Strings.exe
Dump the data where we will look for sensitive information.
Mitigation: Avoid revealing sensitive data and implement encryption on sensitive data.
10. Open known vulnerable Services:
Tool: Nmap
Useful for inspecting ports used by the thick client.
Mitigation: Close unused ports, implement security policy, and make sure services don’t have the vulnerable reported versions in use.
Closing Words: 🙇
Thank you for staying till here with me, hope it was or will be helpful to you.
That was all for this blog, where we covered some important test cases of thick client testing. Also, Covered basic understanding about architectures and testing approaches.
These are the weaknesses that attackers will try to exploit and that we — as pentesters — need to identify before the attackers do.
I hope that the methodology will be useful to you every time you face Thick Client application. 👨💻🙇
There are more test cases coming, which we will see on the upcoming blog i.e: PART 2 Thick Client Pentest. 👨💻
Last but not the least, find below mentioned my account ID incase of any query. Do not hesitate to reach out and I’ll be sure to do the same.
|| STAY SAFE AND STAY HEALTHY ||
Thank you for staying here and reading this blog,
VIRAJ MOTA (SECURITY ANALYST/Bug Hunter)
LINKEDIN: https://in.linkedin.com/in/viraj-mota/
TWITTER: https://twitter.com/VirajMota_ (Viraj Mota Techie)
References:
https://www.optiv.com/insights/source-zero/blog/thick-client-application-security-testing
https://rattibha.com/thread/1454079811203198979?lang=en
https://docs.microsoft.com/en-us/sysinternals/downloads/
https://resources.infosecinstitute.com/topic/reverse-engineering-ollydbg/
